(ISC)², an international non-profit membership association of certified cybersecurity professionals, highlighted the growing levels of operational risks and the evolving role of the CISO (Chief Information Security Officer) during Infosecurity Middle East, which was jointly organized by the UAE Ministry of Interior and Reed Exhibitions in Abu Dhabi this week.

(ISC)²’s Global Information Security Workforce Survey reveals that only 19% of Middle East participants can attribute the majority of the security breaches experienced by their companies to known vulnerabilities. Highlighting this concern in his keynote address, Dr. Adrian Davis, CISSP, (ISC)²’s Director of Cybersecurity Advocacy for the EMEA region, discussed the increasing impact of disruptive technologies on companies, particularly the evolving ecosystem of Internet of Things (IoT) and the proliferation of artificial intelligence and machine learning solutions, at a time when global and local cybercrime rates are being reported at an all-time high. [1]

Davis called on companies to: “Change their conversations about information and cybersecurity so that they can elevate the importance given to the risks. We are constantly challenged by the pace of change in organisations as new technology and processes are introduced without adequately engaging security teams. These teams, now chronically understaffed, are working long hours to address the fall out and struggle to gain the visibility needed, leaving much to remain poorly understood outside of their practice.”

Dr. Davis’ session was complemented by Tamer Gamali, CISSP, CISO of Mashreq Bank and member of (ISC)² EMEA Advisory Council, who hosted a closed roundtable discussion within Infosecurity’s CISO Programme. The session, focused on how the role is evolving, prompted frank discussion on whether today’s cybersecurity leaders are positioned to mitigate the operational risks they are tasked to manage.

According to Gamali: “Cyber risks can be very difficult to quantify and continue to be overshadowed by the focus on financial risks that is given at the top levels of the organisation. Today, however, we are in a business environment where the damage to reputation associated with cyber threats – an operational risk – can exceed traditional financial risk, and we are playing catch up with those who have developed the capability to do us harm.”

“I am not suggesting that security is being ignored: Companies are increasing their investments and working to improve their security stature, but it isn’t enough,” warned Davis. “Companies must now acknowledge that the measures undertaken are insufficient as they are not standing up in the face of the targeted real-world attacks that we are seeing today.”

To take back control, Davis advised delegates to boost organisation-wide competence in cybersecurity and sharpen the focus on operational risk:

Acknowledge that cyber risk is a business concern, not just a technical one;

Assess the impact of new technologies on traditional business models;

Appoint an independent Chief Information Security Officer and;

Develop cybersecurity competence across the organisation within IT, business and innovation teams